← Blog
AWS SES DMARC Setup: Email Authentication in 5 Steps

By DMARCdrift Team

AWS SES DMARC Setup: Email Authentication in 5 Steps

5 min readdmarcspfdkimsetup-guideemail-authentication

To set up DMARC on AWS SES, verify your domain, enable Easy DKIM (three CNAMEs), add an SPF TXT record including amazonses.com, set a custom MAIL FROM subdomain for alignment, then publish a _dmarc TXT record with p=none and your reporting address. The whole process takes about 15 minutes in the AWS console. If the relationship between SPF, DKIM, and DMARC isn't clear yet, that primer is worth a read first. If you're standing up email for a brand-new project, our email setup guide for new SaaS covers the broader picture this guide fits into.

This guide covers the exact steps in the AWS console and your DNS provider. If you're using Route53, it's even simpler: SES can add the records for you.

Step 1: Verify your domain in SES

SES won't send from a domain you haven't verified. Log into the AWS console and navigate to SES → Verified identities → Create identity.

Select Domain and enter your domain name. SES will show you three options for verification:

  1. DNS CNAME record (fastest if you use Route53)
  2. Email verification (sends a confirmation to admin@yourdomain.com)
  3. DKIM-only (doesn't verify ownership, just adds DKIM records)

If you use Route53, click Create identity and SES will offer to add the verification record automatically. If you manage DNS elsewhere, SES gives you a CNAME to add manually. Either way, verification typically completes within minutes.

Once the status shows Verified, you can send from this domain.

Step 2: Set up Easy DKIM

With the domain still selected in SES, look for the DKIM section. Click Create DKIM (or Set DKIM).

SES will generate three CNAME records, not one. All three must exist in DNS for DKIM signing to work. They'll look like this:

[random_token_1]._domainkey.yourdomain.com CNAME [random_token_1].dkim.amazonses.com
[random_token_2]._domainkey.yourdomain.com CNAME [random_token_2].dkim.amazonses.com
[random_token_3]._domainkey.yourdomain.com CNAME [random_token_3].dkim.amazonses.com

If you use Route53, SES can add all three automatically. If you manage DNS elsewhere, copy each record and paste it into your DNS provider. The names are subdomains of _domainkey.yourdomain.com, and each points to a different dkim.amazonses.com subdomain.

Wait for DNS propagation (usually under 10 minutes) and the SES console will show DKIM signing enabled with three green checkmarks.

Step 3: Add SPF

Your SPF record tells mail servers that Amazon SES is authorized to send on behalf of your domain. Create a TXT record at your domain root:

v=spf1 include:amazonses.com ~all

If you already have an SPF record, add include:amazonses.com to it instead of replacing it. The order doesn't matter:

v=spf1 include:sendgrid.net include:amazonses.com ~all

Verify the record propagated using the SPF Record Checker. It should show no syntax errors and the amazonses.com include should be recognized.

Step 4: Add a custom MAIL FROM domain (optional but recommended)

By default, SES bounces and complaints come from an amazonses.com subdomain. This means your SPF alignment is relaxed-only; receivers can see the mail came from Amazon, but the envelope sender domain differs from your From: header domain.

To fix this, create a custom MAIL FROM domain. In SES, go to Verified identities → your domain → MAIL FROM settings and enter mail.yourdomain.com (or any subdomain you control).

SES will ask you to add two records:

  1. An MX record:
mail.yourdomain.com MX 10 feedback-smtp.yourdomain.amazonses.com
  1. A TXT record for bounce messages:
mail.yourdomain.com TXT "v=spf1 include:amazonses.com ~all"

Once these are live, SES will align the envelope sender to your domain and SPF alignment becomes strict, a significant improvement for deliverability.

Step 5: Publish your DMARC record

Now that SPF and DKIM are working, publish a DMARC record to monitor mail sent from your domain. Add a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:d-{domain_id}@in.dmarcdrift.com

Replace {domain_id} with the UUID you see in your DMARCdrift dashboard after adding the domain. (If you haven't signed up yet, you can point it at your own email for now and update it later.)

p=none means messages failing DMARC still get delivered; you're just collecting visibility into misalignment and spoofing attempts. This is the right starting point for any new domain.

Verify your DMARC record using the DMARC Record Checker. It should show your policy and your rua address.

Test it

Send a test email from SES using the AWS console (SES → Verified identities → your domain → Send test email) or via the API. Check the headers of the received message:

dkim=pass (signature verified)
spf=pass (amazonses.com authorized)
dmarc=pass (SPF and DKIM aligned)

If you see dmarc=pass, everything is working. If not, common issues:

  • DKIM records incomplete: Check that all three CNAME records are in DNS.
  • SPF syntax error: Use the SPF Checker to catch missing or duplicate includes.
  • Alignment broken: If your From: header shows a different domain than your MAIL FROM, DMARC will fail. Use a custom MAIL FROM domain to fix this.
  • DMARC record missing: Double-check the record exists at _dmarc.yourdomain.com.

Production access

If you're still in SES Sandbox, you can only send to verified addresses. Request production access via the AWS Support Center (no charge). The authentication setup is identical; you just gain the ability to send to any address.

Once your DMARC record is live, aggregate reports will start arriving within 24--48 hours. DMARCdrift turns the XML into a readable digest, free for one domain.

Get started free →